JavaScript Malware Open The Door to the Intranet
An anonymous reader writes "C|Net is reporting that JavaScript malware is opening the door for hackers to attack internal networks. During the Black Hat Briefings conference Jeremiah Grossman (CTO, WhiteHat Security) '...will be showing off how to get the internal IP address, how to scan internal networks, how to fingerprint and how to enter DSL routers ... As we're attacking the intranet using the browser, we're taking complete control over the browser.' According to the article, the presence of cross-site scripting vulnerabilities (XSS) dramatically increases the possible damage that can be caused. The issue is also not which-browser-is-more-secure, as all major browsers are equally at risk. Grossman says 'The users really are at the mercy of the Web sites they visit. Users could turn off JavaScript, which really isn't a solution because so many Web sites rely on it.'"
Caveman Zonk edit headline bad.
It's not offtopic, dumbass. It's orthogonal.
A good website shouldn't rely on client side scripting
Why can't users just install Firefox and the NoScript extension for it? Then Javascript will be disabled by default, but the user can whitelist the sites where Javascript should be enabled. Problem solved.
Giving JavaScript the power to do random network accesses may make AJAX possible, but code running in my browser has no business accessing my local intranet. For that matter, I'm uncomfortable with JavaScript applications 'phoning home' without my knowledge.
So, the fix is to treat all attempts by JavaScript in a browser as 'hostile until proven otherwise', and to ask for user confirmation when such attempts happen. Put a firewall around the browser and treat any code running in it as dangerous by default.
I predict 2 weeks before there's a FireFox update for this, and 2 years before MSIE fixes the problem.
My blog
Poor little "s" was heard sobbing because it was left out unlikified. Zonk, don't you think of the children?
It's not just javascript, flash content, activeX and java applets should all be disabled site-wide. Any network admin that leaves js enabled in browsers (acrobat reader etc) should probably seek employment in some other field. Anything less is irresponsible!
For about a year now I routinely install a whitelisting firefox extension called NoScript
It blocks javascript per-site until I choose to whitelist the site: Not only do I get a great deal fewer annoyances interrupting my browsing, but it also cuts out a lot of web advertising (the AdBlock extension makes my browser drag when fully loaded with filters)
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
Me, Grimlock, like headline. No want it change.
"I think so, Brain, but 'instant karma' always gets so lumpy." - Pinky
"Decepticons FOREVER!!!" - Ravage
"Then Javascript will be disabled by default, but user can whitelist the sites where Javascript should be enabled. Problem solved."
The consequences of disabling Javascript can lead to a host of new problems. I used to disable javascript and enable it by whitelist. Then I registered a piece of shareware, paid by credit card, and waited. Of course since the whitelisted servers forwarded off to some other entity which provided the registration pages, it never came back. So I figured out the servers that it was dealing with, whitelisted them, and reregistered.
Naturally I got double-billed. The shareware provider kindly fixed that situation, and I was credited, but this situation was a good example of why whitelisting sites is not the solution.
As daft as this may sound, I think a simple solution would be to prevent the JavaScript from accessing any private IPs such as those defined in the RFCs, those being 10.0.0.0, 172.16.0.0 and 192.168.0.0.
If someone happens to be running networks and sub-nets other than those they are no longer in a 'local' network as their machines are at risk per se due to their traffic being fully routable on the net.
I see every reason for the JavaScript to go and pull and push data from sites all over, but there is zero need for it to use these local restricted addresses.
Maybe this is too simple? Maybe that is why it has been overlooked.
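The private-range filter proposed in this post, written out as an added example (not the poster's code, and not part of any browser). It assumes a hypothetical `script_request_allowed` check sitting in front of script-initiated requests, uses a constructed `FAKE_DNS` table in place of real resolution so it runs offline, and also checks every hop of a redirect chain, since a public first hop that bounces to an internal address would otherwise slip through.

```python
import ipaddress
from urllib.parse import urlsplit

# Address ranges a script-initiated request should never reach: the RFC 1918
# blocks the post names, plus loopback and link-local (IPv4 and IPv6), which
# the same reasoning covers.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed stand-in for DNS so the example runs offline. A real filter
# must resolve the name itself and check the address it is about to connect
# to, because a public-looking name can point at a private address.
FAKE_DNS = {
    "www.example.com": "93.184.216.34",
    "router.lan": "192.168.1.1",
    "rebinder.example.net": "10.0.0.5",   # public name, private address
}


def is_blocked_address(addr):
    """True if addr (a string) falls in any blocked range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True          # unparsable address: fail closed
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve(host):
    """Resolve host to an address string; IP literals resolve to themselves."""
    try:
        return str(ipaddress.ip_address(host.strip("[]")))
    except ValueError:
        return FAKE_DNS.get(host)


def script_request_allowed(url):
    """Decide whether a script-initiated request to url may proceed."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    addr = resolve(host)
    if addr is None:
        return False         # unresolvable: nothing safe to connect to, deny
    return not is_blocked_address(addr)


def redirect_chain_allowed(urls):
    """Every hop of a redirect chain must pass the same check."""
    return all(script_request_allowed(u) for u in urls)
```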
This is slightly off-topic, but it's kind of relevant to the solution of turning javascript off. Can anyone explain to me why javascript is required in Firefox to open a .wmv file (in windows, obviously)? And more importantly, what bug makes Firefox crash about 33% of the time when visiting a site that has one on it when javascript is disabled? What are the odds that bug is overflow exploitable?
What might be smart is an extension hooking into the security subsystems in Firefox to allow the browser to go into "Paranoid Mode" when browsing any site not on the user's favourites or safe-list.
Paranoid Mode would block all plugins, cookies and javascript, and optionally have a "click-to-load" button in place of content from other servers.
You'd need to taint all js initiated requests for that to work and even then how would a browser handle a HTTP redirect to an internal IP?
The simple solution is to disable javascript and insist web sites work without it.
From what I read in the article and its links, the problem isn't that clients attack servers, it's that servers attack clients.
It's not that web developers are relying on client-side code, they're exploiting client-side code in order to attack the client.
Android Software Engineer
I have been asking for years why we can't disable javascript for all but trusted sites (in phoenix/firefox/etc) via a config facility. The default when browsing should be OFF.
Websites need to stop using javascript for conveying simple information. That Flash crap too. Most people just laugh when I say javascript is a security hole.
And people will do it anyway, thinking they are 'safe'.
---- Booth was a patriot ----
And it found some, but not all the web-enabled devices on my network. It found my web server and correctly identified it as Apache, found the squid proxy running on the gateway/firewall machine (identified as "unknown"), but failed to find my wireless router (through which it had to pass in order to see the rest of my network), or my print server. It also identified as "exists" several IP addresses on which no machine or device exists.
But the Firefox "NoScript" extension completely blocked it until I told it to temporarily allow the host site.
So in response to a post saying a particular technology has security holes, the consensus "solution" is not to use that technology?
That seems weak to me. By all means propose replacement solutions that do the same job, but by saying "don't use it" all you're really doing is saying "I personally have little use for it".
Sysadmins should all disable Javascript?! Fine, go ahead, I'll move to a company with less demanding security requirements. You'll find your network's impressively secure once there are no users left.
pwn3d
NoScript just blocks the javascript...doesn't send it off to somewhere else nor creates any "whitelist". If you're at a site that you need Javascript to run, the little icon down in the lower right hand corner will have a pop-up menu to enable Javascript for that site you're on. You can have it enabled just for that session or permanently.
I've used NoScript now for quite a while and I love it.
"Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
Look folks, this isn't rocket science. Given the current state of Computer Technology, downloading obscure programs from a remote source outside your control and running them can't possibly be a good idea. It may occasionally be necessary, but it's something that should be done as rarely as possible. If you don't even know the programs are there because they are buried in web pages, that just exacerbates the problem.
The answer: Turn off Javascript, and let the web site designers find some other way to entertain themselves. Forcing web sites to use HTML and server side scripting may limit their style and the coolness of your user experience, but if you want your computer(s) and network to be somewhat secure then you better forget Javascript. Personally, I have only one Javascript enabled browser (Firefox) and I try to use it only with sites like Google and a handful of others that I consider to be trustworthy.
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
...I think this is only relevant to IE and MS [again]. As to sending commands to a 'router' to turn on wireless (if I even had a router that had wireless) is pants unless the 'owner' of the router wasn't the person using it (i.e. an ISP package). The interface must be open to allow this to happen.
So, the problem is with MS (again) and 'harry home owner' type people that don't have a clue about anything, so just run with the flow [OK].
This talk of Javascript malware frightens and scares me, but one thing I do know is this... Zonk should "edit" since he is an "editor."
"So in response to a post saying a particular technology has security holes, the consensus "solution" is not to use that technology?"
It's nice to know that the advice we give Microsoft users doesn't just apply to them anymore.
Yes it is. Users could also politely point out to the authors and administrators of the majority of web sites which rely on javascript that they really, absolutely, positively don't need it. You don't need javascript to open a link to another page. You don't need javascript to open an image in a gallery. You don't need javascript to submit a username and password. You just don't need it. I would say that using scripted actions for that is lazy and stupid, but it actually involves a good deal more work than using proper HTML. That makes it just plain stupid.
For the rare applications which actually require javascript and don't just use it as some kind of prosthetic wiener replacement there is always the option of enabling scripting on a site by site basis. Turning scripting on for http://trusted.internal.site.on.your.local.net/ but not for http://random.russian.warez.and.porn.site/ really is a solution.
JavaScript malware can be just as easily contained as a large number of other malware can: careful watch of what the user's actual needs are. I deny all javascript by default, and if I absolutely MUST use it, enable it per session (in Firefox). This is another issue where ease of use is the real culprit, rather than a fundamental weakness. Compare this to the WMF issues, which do constitute a fundamental weakness. Javascript is behaving as it should, as is your browser. Many people deride such arguments with the idea that most people are not interested/savvy enough to look after such things, but this is no excuse. It takes comparatively little time to find a quick and easy solution to javascript malware, and this hardly requires a deep understanding of javascript....
OSes or third parties now have an opportunity:
Sandbox web-enabled applications, either individually or as a set.
Even better: Sandbox sessions. Any address I type into my web browser, any link I open from a saved bookmark, or any link I open with a "open in new sandbox" command, gets a new sandbox.
For home users, sandboxes get access to just the default gateway, they can't touch 127.0.0.1 or 192.168.1.x. They get read-only access to parts of the filesystem, such as where Java applets are stored, and read-write access to their own temporary space and, optionally, a directory where users can save files by hand. Alternatively they may get "dropbox"/read-directories/write-files access to other parts of the filesystem, such as directories the current user can write to.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Ah, the simpler days of gray backgrounds and Times New Roman. None of these fancy tables, neither. And we had to walk 5 miles to school, uphill, in snow up to our hips. And 10 miles uphill to get back home. Kids today with their fancy JavaScript. No appreciation, none at all.
Do you have a flag?
How anyone can just not use a simple extension to block scripts, flash, java, etc like the Firefox NoScript extension is just confusing to me. People actually seem to want to run foreign applications on their system through sites which can quite easily load anything they want.
Make it clear to your family that the modern Internet is like the real world. Protecting your computer with either a secure Internet Explorer (eg: the default Windows 2003 IE config) or Mozilla Firefox (with the NoScript and CookieSafe) configuration is like leaving your car unlocked in an inner-suburb train station... It will get broken into!
For those affected by these issues: welcome to the real world. Grow up, plug in, learn what the hell you're doing on this internet.
You should need a licence to even have an Internet Connection.
The detection of IP addresses that aren't running webservers seems to depend entirely on the time taken for the request to fail - long delays are detected as non-existent IP addresses, whereas short ones are reported as IP addresses without a webserver. This doesn't always work - it seems to give false positives if the IP address is detected as nonexistent too quickly, and could give false negatives on slow or unreliable links.
In addition, if a machine has a webserver on it but requests for / give an error, it is detected as having no webserver. This gets particularly interesting with webservers that require HTTP authentication to access any page, and where the browser doesn't have the login stored: a password dialog pops up, and if you don't respond fast enough, the IP address is detected as non-existent. In addition, unless you enter the correct username and password, the machine is detected as not having a webserver.
Finally, although they can carry out whatever GET requests they like, the only information about the response they can get is whether the request succeeded or failed. (They could probably do POSTs too, but I'm not sure if they'd even be able to get that much information back).
Cross Site Scripting FAQ
Believe me, if I started murdering people, there would be none of you left.
What, exactly, is wrong with the headline? The term "malware" can be either singular or plural, making the singular "open" perfectly acceptable.
Aside from inconsistent capitalization, you can't fault him on grammar.
By every smtp server; in MS networks even the netbios name is broadcast in the smtp headers.
Who cares about internal IPs, go on, you can hack me at 192.168.0.1-192.168.100.0
The answer with all these technologies is to get away from the "everything is permitted, everything links to everything else" model that Microsoft promoted till it ran into trouble, and work out a way of implementing security policies that are comprehensible and that work.
Pining for the fjords
Oh what utter tosh. It's no wonder there are vulnerable web sites out there if you think that's an acceptable attitude.
Guess what, I'm a consultant too, but I actually make the time to keep myself aware of these things. Cross site scripting is a simple example, all it takes is for you to remember to encode any output that has come from user input, and pretty much all the server side languages and frameworks have helper functions for this. The fact that you absolve yourself from not knowing about it by saying we don't have time is awful. The fact that you consider a site working reliably if you cannot be sure it's secure is even worse.
The ideal place for security is everywhere and if you aren't telling your clients that then frankly you're not a consultant, but simply a con.
Spyware by any other name, cross site Flash access (so it can execute code) and flash cookies
With Firefox, enabling image loading ONLY for the original web site breaks the scanner (and hides 95% of the ads)
In fact the article explains some of the methods and they will happily work on Mozilla as well;
I'm pretty sure I can use javascript in mozilla to create image objects. Why, I can do it in Opera too. And if you actually went to the proof of concept page and tried it you would have confirmation it is NOT an IE only problem.
It also blocks the attribute, something which won't be introduced until Firefox 2 and for which it's possible to set a pref in about:config. Also, it doubles as an egg timer!
Seriously, NoScript is great, but if I want to block flash I'll install Adblock or Flashblock. If I want to whitelist sites for javascript then I'll use NoScript. Whatever happened to the concept of simply doing one thing well?
Wide Area Network distributed computing has evolved in a bad way. Web standards are not designed for remote interactive applications and operating systems are not designed for executing remote code.
We just need to redesign the thing from the bottom up, now that we have learned the ups and downs.
The vast, vast majority of exploits involve JavaScript in one way or another. If it were possible to just "turn off" JavaScript world-wide overnight, the number of exploits would drop down substantially. Of course you would still have the "stupid user" problem, but you can only do so much to combat that.
As far as browsers are concerned, a large percentage of exploits are being written by / for criminal elements for profit. To this end, they maximize their profit potential by targeting the most prolific browser. For now, FireFox and others are relatively safe. We have seen a few things come out lately, but they are really just toys compared to what is out there for Internet Explorer. These people writing the exploits are, unfortunately, rather smart and clever. When it becomes economically feasible for them to target FireFox / Mozilla / whatever, make no mistake about it: they will. That is when we will see how secure that software really is.
This is where people bring up the IIS vs Apache argument. My only answer to that is that there is little money to be made in compromising web servers. There are a few cases of corporate espionage, but most of the time it is ego-driven: defacement, spreading worms, etc. A competent webadmin will eventually discover the breach and fix the system, so there is not a long window of opportunity. Compromising millions of home users' PCs without them even knowing it is much better profit-wise; you can spam the shit out of anything pretty much with impunity, and people will pay you good money to do it. So these kinds of people target what they are familiar with: Microsoft. I think compatibility also plays a role. Any Windows server running IIS can run any Windows binary. This is patently untrue of Linux servers running Apache; there are so many different combinations of distributions, libraries, and architectures that binary compatibility is very small if it even exists. Microsoft is an easy target because it is such a monoculture.
I'll have the roast duck, with the mango salsa...
Your grammar frightens and confuses me.
It's just a joke at Zonk's expense, and last I heard, he has a sense of humor and can take a joke.
It's possible to cater for both JavaScript-enabled browsers and those many, many, many text browsers and version 2 browsers being used out there. Websites that do so are typically called "downgradable".
The decision whether or not to do so mostly depends on whether you intend to produce a web site (open and available for all to see) or a web application (a client/serverside application that just happens to be presented inside a web browser). I know that's a blurry line of distinction. Usually people decide whether something is one or the other based on a certain level of dynamic interaction. My golden rule on website vs. web application is this: if you have to pass through a login screen, it's a web application. If not, it's open to the public and is a web site.
Why is this important? If you have to log into a system, you'll first need to be approved by a system administrator. I don't see what's so bad about that system administrator placing certain restrictions on his users, such as supporting only the comparatively more secure browser Firefox. Sometimes, this isn't possible as it breaks some zero-install requirement.
You don't need javascript to open a link to another page. You don't need javascript to open an image in a gallery. You don't need javascript to submit a username and password. You just don't need it.
You don't need it - you want it. You want it to make the entire web experience better.
From a security standpoint, everyone should be on lynx or similar browser. From the user standpoint, Javascript is essential (see maps.google.com, or gmail) for a good web experience. Images are fundamental. Web is not static HTML any more. We now live in the world of DHTML and security is just going to have to deal with it.
Javascript is broken if it allows you to access other than non-remote resources (ie. from original website) and some settings available to it from the browser (windows size, etc..). That's what it is there for and other uses should be disabled. We already see it with the JS popup blockers. Similar security for network accesses should suffice.
Similarly with Java, Flash and other things.
Poor little "s" was heard sobbing because it was left out unlikified. Zonk, don't you think of the children?
Unlikified?!? Excuse me, but what exactly are you thinking about the children???
-Mike
I'm sorry; I don't know what I was thinking!
If you're not using NoScript, you're like a person who leaves his car unlocked in a bad neighborhood. We feel slightly sorry your radio was stolen, but we also feel sorry you lacked common sense. No?
HTML, CSS and server-side CGI. If there's something you REALLY can't achieve with that, then make a "web app" in java (or whatever) and let the user download and run it. Those few extra clicks are great security AND make it vastly easier to put together a useful and usable application.
I'm sorry we didn't state all of this stuff explicitly, but I think it's quite obvious what we mean. The web is simply not a good environment for running complicated software, but luckily we all have general purpose operating systems a click away.
I, for one, welcome our new strange grammar overlords
How amusing (or abusing). Javascript AJAX style script to call those home firewalls or cable modems and abuse the poor end user. DOCSIS Cablemodems support http://192.168.100.1/ and many have diagnostic. I bet you could create a simple library that could regex the results of a javascript request to it and then reset the modem, etc. Plus all of those lovely DSL Modems and Firewalls with default passwords. Reminds me of the fun embedding modem control values in IRC commands. How long until hitting a web page has a chance of resetting your DSL modem, your cable modem, or your home firewall. Come visit my site at http://link/ removed]
Took the words out of my mouth. Funny how people bitched about designers treating the browser like print media, but turn right around and bitch that the browser is being used as more than a green screen.
:)
--
Hey! My confirmation word is "astute".
"Sysadmins should all disable Javascript?! Fine, go ahead, I'll move to a company with less demanding security requirements. You'll find your network's impressively secure once there are no users left."
I'll toss this here. After reading this. I've wondered if a browser bridge could be built into a JabberNet(TM) as it were.* When your browser hits the xmpp equivalent of Apache (using the xmpp extension, just like coldfusion uses CFM). One would gain functionality that HTTP doesn't allow, and maybe better security, as well as easier programming on both sides (the state issue would be easier to handle). Any thoughts?
*It could even layer over a true P2P infrastructure, or simply be a substitute for the HTTP web (with a better discovery than DNS).
Opera browser from version 7.x (IIRC) already had the switch for enabling/disabling javascript. It was one click away.
In the latest version however (9.0) they improved this capability much more:
F12 --> Enable(disable) javascript
and it is a global setting.
Right click --> Edit site preferences
and you get the per-site setting.
No fancy extensions to be aware of, to search for, and to download. All out of the box.
Forgive me if it's not enough.
Things a browser can do to sandbox itself:
On install:
1) Create a very-limited-user account, much more limited than the usual "limited user" account.
2) Assign the privileges to the directories and other resources it needs, including explicit DENY privileges to everything it doesn't need.
3) Deny direct access to internet services, filesystem, launching of other applications, and any other abusable things [assuming such a thing is possible].
4) Install a service, running as a different limited-user, to allow indirect calls to such features. Let's call this the threat-mitigation module.
On run:
1) Change to the very-limited-user.
2) Route all internet traffic by application and plugins through the sandbox.
3) If it is called in a way that requires creating a new sandbox, the threat-mitigation module will make sure the sandboxed environments can't see each other.
Yes, it's easier said than done and the Windows architecture may make it difficult, but it should be doable by a sufficiently motivated and budgeted programming team.
The above is not the only solution to the problem. Furthermore, it may be incomplete or erroneous. But it should get you thinking.
You don't need it - you want it. You want it to make the entire web experience better.
Nonsense. Using javascript for any of the things the parent mentioned is regressive. Apart from the things the sibling posters have mentioned it can also break:
All this lost for zero improvement in functionality. Javascript has its uses but using it to replace existing functionality is just evidence of a poor web designer.
Oh, and by the way, marketing drivel, what javascript is often used for, does not improve the "web experience". Many so-called web designers wouldn't know what a good web experience was if it jumped up and bit them.
---
Don't be a programmer-bureaucrat; someone who substitutes marketing buzzwords and software bloat for verifiable improvements.
This sounds monster serious :( :(
Stupid javascript.
Oh well, it is dead obvious though: being able to command "calculations" on a client side is a bad idea.
JavaScript is not *supposed* to be able to do bad things like this. It has many safeguards built into it to avoid this.
The real problem is that the browsers have bad code in their JavaScript implementations. This is what needs to be fixed.
Also, web browsers probably should run using CreateRestrictedToken. I wish web browsers would run with lower privilege than your normal user applications. You could have 2 processes, one that runs at normal privilege and one that runs as a restricted token. Almost the entire browser would be under the restricted token. Really, the only exceptions should be when downloading or uploading files, at the user's request of course. Such things can be done over interprocess communication with a well-defined and hardened interface.
I guess that the big problem is that NT and Linux don't really have a way to do this. The only way I can think of this working is for the browser to run as a separate user account. That requires administrator access to set up, as does running a second process as a different user.
Melissa
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
These kinds of problems (and my disinterest in bells and whistles and disdain for being FORCED to turn on Java Script to read a frackin' web page) are why I want to yell, "turn that shit off!"
So, I ONLY activate JavaScript in Konqueror on a page-by-page basis. I have it AND Java turned off by default. When the page is done, I destroy the history folder and sometimes nuke the cookies. I also in my firewall at the eth device and LAN device, as well as in the ports and as well as in Konqueror's cookies manager manually and malevolently blacklist or forbid connections to OR from all sorts of shit, from akamai, to double-dick to anything that is spawning the bazillions of port requests. This shit just annoys me that when I want a quick read, I have to witness umpteen connections due to all those adverts, king wizard page gimmicks and such. (I think I have over 200 sites blacklisted in the inbound and LAN portions of my firewall.)
I'm at the point where if a site asks for many cookies, I just ban the whole site and try to remember that its slow loading is because I banned my computer from letting me see it.
(I guess I'm overreacting, but it's as frackin' annoying as noise pollution by firetrucks blaring at 200 decibels moving at 5 miles per hour. I don't know who to curse: them for not turning the thing down or pausing it, or the idiot drivers in front who are oblivious to the truck. Dumbasses with their CDs up loud or who just don't check the rearview are why I advocate giving police cars and emergency response vehicles the ability to white noise certain automobile audio devices so lame-ass driver get the hint: the FRAKIN' ROAD is NOT all about YOU.)
But, I suppose we're going to see exploits that circumvent the turn-java-script-off setting. Or, it could just force web developers to change for the better for site visitors. I am of the feeling there is a LOT of shit we don't need on web pages, but some people want to show off their prowess, their calling card, and overcomplicate the visit. Either that, or they have WAYYYY too much information their company is trying to present and are being too cutting edge about it.
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Like these.
While I don't use NoScript (instead I have an inline web-proxy to filter all my browsers) I don't consider it overreacting. My default here is no cookies, no scripts, no flash, no referrer, no blinking text, no nothing. Just the text Ma'am. This proxy rewrites the HTML on the fly ;-). There are a few, very few, sites where I do enable some things, but I've had it with sites that require anything more than basic HTML.
"[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
Come off it, have some pity on the tired beast.
Your definition of consultant is so narrow that no camel will ever go through that needle's eyelet. Not even a mini camel.
Consulting is understood as the providing of professional services in an area; the nature of the gig may be advisory, but can also be doing technical work. What you need is somebody that can fall into a position running. Anybody capable of doing that will fit the definition of most sane people.
In your ayatollahic zeal you make half a point: people should be knowledgeable in their field of expertise. But the original poster made a point far more important: for a myriad of reasons people that are good enough to put in place a little app may not have the knowledge about how to secure it. That is real life here on the ground, the real world so to speak, not in that area deprived of oxygen you seem to be moving in where every engineer or technician wears shiny armor and has a perfect denture.
The languages and protocols we are using to build the Web are not secure enough; people working on new tools for the Internet ought to take this into account. The next big language, the next big protocol, should do as the previous poster says: protect the developer against himself.
IANAL but write like a drunk one.
SPI Dynamics (featured heavily in the article) released a proof of concept for scanning internal networks using JavaScript last week. Proof of concept: http://www.spidynamics.com/spilabs/js-port-scan/ Whitepaper: http://www.spidynamics.com/assets/documents/JSport scan.pdf
While there are a few false positives on my home network, it finds all the Apache and IIS boxes at work!
Questions:
At our company, we just got the internet connected last week. It is a shared computer in the hallway, for the whole floor.
Cool man